The namesake sign outside Epic’s headquarters in Verona, Wisconsin.
Source: Yiem via Wikipedia CC
Epic Systems, the largest provider of medical records management software, says a venture-backed startup called Particle Health is using patient data in unauthorized and unethical ways that have nothing to do with treatment.
Epic told customers in a statement Thursday that it had severed its connection with Particle, blocking the company’s ability to use a system with more than 300 million patient records. Particle is one of several companies that act as a sort of middleman between Epic and the organizations — typically hospitals and clinics — that need the data.
Patient data is inherently sensitive and valuable and is protected by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that requires the patient’s consent or knowledge for third-party access. One way to access Epic’s electronic health records (EHR) is through an interoperability network called Carequality, which facilitates the exchange of more than 400,000 documents per month, according to its website. Particle is a member of the Carequality network.
To join the network, organizations are vetted and must agree to adhere to clear “Permitted Purposes” for sharing patient data. Epic responds to requests for data that fall within the permitted purpose of “Treatment,” meaning that the recipient provides care to the individual whose records are requested.
Epic said in a statement Thursday that it filed a formal dispute with Carequality on March 21 over concerns that Particle and its participating organizations “may be misrepresenting the purpose associated with their file retrievals.” The company suspended its connection with Particle that day.
“This poses potential security and privacy risks, including the potential for HIPAA Privacy Rule violations,” Epic said in the statement, obtained by CNBC.
In a statement late Friday, Carequality said it takes the disputes “very seriously and is committed to maintaining the integrity of the dispute resolution process as well as reliable exchange within the framework.” The organization said it cannot comment on disputes or member activities.
Representatives for Epic and Particle did not respond to requests for comment. However, Particle published a post Friday night and said it began “addressing this issue immediately” after Epic “stopped responding to data requests from a subset of customers” on March 21. Particle said in the post that a major challenge in such matters is that there is “no standard reference to assess the definition of Treatment.”
“These definitions have become more difficult to delineate as care becomes more complex with providers, payers and payers consolidating into various large health care conglomerates,” Particle wrote.
Epic, a 45-year-old privately held company based in Wisconsin, is the largest EHR vendor by U.S. hospital market share, with 36% of the market, according to a May report from KLAS. Oracle is second at 25%, after the software company’s $28 billion purchase of Cerner in 2022.
As of July 2022, Particle had raised a total of $39.3 million from investors including Menlo Ventures, Story Ventures and Pruven Capital, according to a release. The New York startup said at the time that its technology “combines unique data from 270 million plus patient medical records, aggregating and unifying healthcare records from thousands of sources.”
Epic said Particle entered thousands of new participant logins into Carequality in October and claimed they fall under the treatment use case. In the months that followed, all of Particle’s participating organizations claimed a permissible treatment purpose for their requests, Epic said.
“Non-treatment use case”
However, Epic started to notice some red flags. The company said it noticed anomalies in patient record sharing patterns, such as requests for a large number of records in a specific geographic area. In addition, Epic said Particle-related companies were not submitting new patient data, which “indicates a non-treatment use case.”
Epic and its Care Everywhere Governing Council, comprised of 15 industry representatives, evaluated Particle’s new participant connections and determined that organizations such as Integritort, MDPortals and Reveleer, which acquired MDPortals last year, “probably did not comply with a Permitted Treatment Purpose,” the statement said.
Epic said it learned another Carequality member planned to file a dispute, alleging Integritort was using patient data to try to identify potential class action participants. On March 28, Epic said it discovered that a participant named Novellia claimed to be requesting files under treatment, despite publicly advertising its product as a “personal health tool.”
Integritort, Reveleer and Novellia did not respond to requests for comment.
Epic said it filed a formal dispute with Carequality at the Board’s recommendation. On April 4, Epic asked Particle to provide additional information to show how its participants qualify for the treatment use case, according to the notice.
Michael Marchant, director of interoperability and innovation at University of California Davis Health, serves as chair of Epic’s Board of Directors. He said it’s hard to know exactly why Particle might have provided records to those organizations or whether it intentionally engaged in wrongdoing. But, he said, companies must act responsibly even if they are under pressure to deliver financial results.
“If they were selling to things that they knew weren’t therapeutic-related organizations in an effort to match VC funding or profit margins or revenue targets or what have you, then that would be very bad,” Marchant told CNBC in an interview.
In a statement on LinkedIn on Wednesday, Particle founder Troy Bannister said that Epic acted unilaterally and that Particle has not seen “reason, justification or official allegations” surrounding these issues.
Bannister wrote that, as far as the company is aware, “all affected partners are immediately supporting the treatment.” He said these organizations pull data on care providers and share data in the Carequality network.
“While we continue to maintain our connection to Carequality, the ability of an executive to decide, without evidence or even warning, to disconnect providers on a massive scale, jeopardizes clinical operations for hundreds of thousands of patients as well as the confidence that they are so critical to an exchange based on trust,” Bannister wrote.
Bannister did not respond to Epic’s April 4 request for additional information.
The formal dispute process is still ongoing. Marchant, who also serves as co-chair of an advisory board at Carequality, said it’s the first time in the network’s history that a complaint has gone this far.